Commit Graph

24 Commits

Author SHA1 Message Date
Andrew Ayer f75c47d9ca Always store files in ~/.certspotter, even if running as root 2016-07-26 16:57:26 -07:00
Andrew Ayer 19e05b901a Remove some dead code from the scanner 2016-06-22 10:32:42 -07:00
Andrew Ayer 2c8cb1f402 Return exit code from cmd.Main instead of exiting directly
This allows the calling code to do custom cleanup.
2016-06-03 07:21:08 -07:00
Andrew Ayer 2bed88e7c5 Rework watchlist
Watchlist is now read from ~/.certspotter/watchlist by default, or from
the file specified by -watchlist (- for stdin).

By default, only exact DNS names are matched.  To match both the domain
itself and all sub-domains, prefix with a dot (e.g. .example.com).

Comments are now allowed in watchlist files.
2016-05-12 11:30:59 -07:00
Andrew Ayer b79cb31413 Move package to software.sslmate.com/src/certspotter 2016-05-04 12:19:59 -07:00
Andrew Ayer 1e582e2e0c License under the MPL 2.0 2016-05-04 11:56:13 -07:00
Andrew Ayer 670cddafbc Rename project to certspotter 2016-05-04 11:49:07 -07:00
Andrew Ayer e091186d83 Save consistency proof along with evidence of misbehavior
Although the consistency proof is neither necessary nor sufficient
to prove misbehavior by a log, this will help with debugging if a
log returns a bogus consistency proof erroneously (which seems to
be happening with the Rocketeer log lately...).
2016-04-06 08:10:06 -07:00
Andrew Ayer a071e9490a Replace embedded X509 parser with my own lightweight parser 2016-03-16 16:59:37 -07:00
Andrew Ayer 5803389588 Fix some pointer inconsistencies in code 2016-02-22 15:29:52 -08:00
Andrew Ayer 09c37cfdfd Clarify a flag 2016-02-22 15:14:17 -08:00
Andrew Ayer 8f3bd3b6ff Improve logging 2016-02-22 14:58:11 -08:00
Andrew Ayer b297ba9967 Use bits in the exit code to convey what happened 2016-02-22 14:45:50 -08:00
Andrew Ayer df6527b165 Change -all_time to only affect logs we haven't seen before
It's more useful this way - there's no sense in scanning logs we've
already scanned.

I need a better name for this switch, though.
2016-02-20 12:04:07 -08:00
Andrew Ayer ff44576c87 Save old and new STHs if consistency proof fails 2016-02-18 12:40:21 -08:00
Andrew Ayer e91d7bacbd Minor cleanup to improve encapsulation 2016-02-18 10:23:07 -08:00
Andrew Ayer b47d35a005 Rename some types/functions for clarity 2016-02-18 10:15:56 -08:00
Andrew Ayer 35eef25f4a Rename function for clarity 2016-02-18 10:09:33 -08:00
Andrew Ayer 9558efc955 Verify STH signatures 2016-02-17 16:03:49 -08:00
Andrew Ayer 4b304fd192 Audit Merkle tree when retrieving entries
Also add an -all_time command line option to retrieve all certificates,
not just the ones since the last scan.
2016-02-17 14:54:40 -08:00
Andrew Ayer b6dec7822d Overhaul to be more robust and simpler
All certificates are now parsed with a special, extremely
lax parser that extracts only the DNS names.  Only if the
DNS names match the domains we're interested in will we attempt
to parse the cert with the real X509 parser.  This ensures that
we won't miss a very badly encoded certificate that has been
issued for a monitored domain.

As of the time of commit, the lax parser is able to process every
logged certificate in the known logs.
2016-02-09 10:28:52 -08:00
Andrew Ayer a79cc26570 Include filename of saved cert in output/script invocation 2016-02-05 08:20:12 -08:00
Andrew Ayer 3f596730a0 New and simplified multi-log operation 2016-02-04 20:16:25 -08:00
Andrew Ayer a418a3686d Initial commit 2016-02-04 18:46:19 -08:00